INSPECTOR GENERAL

IG-W-021

UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, D.C. 20436

April 1, 1999

MEMORANDUM

TO:       Director, Office of Information Services

FROM:     Inspector General

SUBJECT:  Inspection Report 03-99, Review of the Electronic Dockets Information System's Security

The Office of Inspector General (OIG) initiated this inspection in March 1998 at the request of the Director of the Office of Information Services (OIS). The Director OIS requested this inspection because the Commission plans to implement a new system commonly referred to as EDIS On-Line.

EDIS On-Line is a component of the Electronic Dockets Information System (EDIS), which the Secretary of the Commission uses to manage the intake and dissemination of Commission public and non-public documents. EDIS On-Line will allow the general public (external users) to access the public documents contained in the docket via the Internet, while allowing Commission employees (internal users) access to public and non-public documents in the docket via the Commission's Intranet.

The objective was to confirm that external users are restricted to public areas of the EDIS On-Line system and to identify potential security risks. We found that, within the limited parameters of this assessment, external users were properly limited to information in the public directories. However, the testing revealed several potential security-related considerations that would enhance the security of EDIS On-Line.

The OIG contracted with the Computer Sciences Corporation (CSC) to conduct a vulnerability assessment of EDIS On-Line. In March 1999, a CSC engineer inspected the network architecture and configuration of EDIS On-Line and, from its commercial laboratory site in Maryland, used proprietary scanning tools and other auxiliary tools to perform several tests on EDIS On-Line. The testing comprised initial port scanning, Hydra vulnerability scanning, access control testing, and web site mapping.

CSC suggested changes that would enhance the security of EDIS On-Line. These include limiting the number of unsuccessful authentication attempts, separating public and non-public data on separate servers, increasing access controls, upgrading software no longer in production to an actively maintained product, considering the use of a commercial product to control access to information, implementing a checking mechanism for all external variables, and limiting access to internal printers to internal users.

A draft of this report was sent to the Director OIS on March 22, 1999. The Director OIS implemented three of CSC's suggestions immediately: limiting authentication attempts, checking external variables, and limiting printer access. He plans to incorporate the suggestions on separating data and purchasing software in active development as part of planned upgrades. He is evaluating the feasibility of the remaining two suggestions.

The above procedures constitute an inspection made in accordance with the President's Council on Integrity and Efficiency Standards for Inspections.

If you have any questions, please contact me at 205-2210.

Attachment

cc: Commission